Python yara.compile() Examples

The following are 30 code examples of yara.compile(). You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may also want to check out all available functions/classes of the module yara , or try the search function .
Example #1
Source Project: unipacker   Author: unipacker   File: shell.py    License: GNU General Public License v2.0 7 votes vote down vote up
def do_yara(self, args):
        """Run YARA rules against the sample

Usage:          yara [<rules_path>]

If no rules file is specified, the default 'malwrsig.yar' is being used.
Those rules are then compiled and checked against the memory dump of the current emulator state (see 'dump' for further
details on this representation)"""
        if not args:
            if not self.rules:
                try:
                    self.rules = yara.compile(filepath=f"{os.path.dirname(unipacker.__file__)}/malwrsig.yar")
                    print("Default rules file used: malwrsig.yar")
                except:
                    print(f"{Fore.LIGHTRED_EX}Error: malwrsig.yar not found!{Fore.RESET}")
        else:
            self.rules = yara.compile(filepath=args)
        self.sample.unpacker.dump(self.engine.uc, self.engine.apicall_handler, self.sample)
        matches = self.rules.match("unpacked.exe")
        print(", ".join(map(str, matches))) 
Example #2
Source Project: RATDecoders   Author: kevthehermit   File: fileparser.py    License: MIT License 6 votes vote down vote up
def dotnet_resource_names(self):
        """
        Read .NET Resources and return a list of resource names
        :return: list
        """
        try:
            rules = yara.compile(source='import "dotnet" rule a { condition: false }')
        except yara.SyntaxError:
            print("Error using Yara DotNet did you enable it?")
        resource_list = []

        def modules_callback(data):
            for i, resource in enumerate(data.get('resources', [])):
                resource_list.append(resource['name'])
            return yara.CALLBACK_CONTINUE

        rules.match(data=self.file_data, modules_callback=modules_callback)
        return resource_list 
Example #3
Source Project: RATDecoders   Author: kevthehermit   File: fileparser.py    License: MIT License 6 votes vote down vote up
def dotnet_resource_by_name(self, resource_name):
        """
        Extract a .NET Resource by name
        :param resource_name:
        :return:
        """
        try:
            rules = yara.compile(source='import "dotnet" rule a { condition: false }')
        except yara.SyntaxError:
            print("Error using Yara DotNet did you enable it?")

        def modules_callback(data):
            for i, resource in enumerate(data.get('resources', [])):
                if resource['name'] == resource_name:
                    offset = resource['offset']
                    length = resource['length']
                    self.res_data = self.file_data[offset:offset + length]


            return yara.CALLBACK_CONTINUE

        rules.match(data=self.file_data, modules_callback=modules_callback)
        return self.res_data 
Example #4
Source Project: RATDecoders   Author: kevthehermit   File: fileparser.py    License: MIT License 6 votes vote down vote up
def elf_list_sections(self):
        """
        Read a list of sections from an elf binary
        :return: list of section names
        """
        try:
            rules = yara.compile(source='import "elf" rule a { condition: false }')
        except yara.SyntaxError:
            print("Error using Yara ELF did you enable it?")
        section_names = []

        def modules_callback(data):
            for i, section in enumerate(data.get('sections', [])):
                section_names.append(section['name'].decode('utf-8'))
            return yara.CALLBACK_CONTINUE

        rules.match(data=self.file_data, modules_callback=modules_callback)

        return section_names 
Example #5
Source Project: RATDecoders   Author: kevthehermit   File: fileparser.py    License: MIT License 6 votes vote down vote up
def elf_section_by_name(self, resource_name):
        """
        Extract an elf section by name
        :param resource_name:
        :return:
        """
        try:
            rules = yara.compile(source='import "elf" rule a { condition: false }')
        except yara.SyntaxError:
            print("Error using Yara ELF did you enable it?")

        def modules_callback(data):
            for i, section in enumerate(data.get('sections', [])):
                if section['name'].decode('utf-8') == resource_name:
                    offset = section['offset']
                    length = section['size']
                    self.res_data = self.file_data[offset:offset + length]
            return yara.CALLBACK_CONTINUE

        rules.match(data=self.file_data, modules_callback=modules_callback)
        return self.res_data 
Example #6
Source Project: rekall   Author: google   File: yarascanner.py    License: GNU General Public License v2.0 6 votes vote down vote up
def __init__(self, *args, **kwargs):
        """Scan using yara signatures."""
        super(YaraScanMixin, self).__init__(*args, **kwargs)

        # Compile the yara rules in advance.
        if self.plugin_args.yara_expression:
            self.rules_source = self.plugin_args.yara_expression
            self.rules = yara.compile(source=self.rules_source)

        elif self.plugin_args.binary_string:
            self.compile_rule(
                'rule r1 {strings: $a = {%s} condition: $a}' %
                self.plugin_args.binary_string)

        elif self.plugin_args.string:
            self.compile_rule(
                'rule r1 {strings: $a = "%s" condition: $a}' %
                self.plugin_args.string)

        elif self.plugin_args.yara_file:
            self.compile_rule(open(self.plugin_args.yara_file).read())

        elif not self.ignore_required:
            raise plugin.PluginError("You must specify a yara rule file or "
                                     "string to match.") 
Example #7
Source Project: aumfor   Author: virtualrealitysystems   File: linux_truecrypt.py    License: GNU General Public License v3.0 6 votes vote down vote up
def calculate(self):

        ## we need this module imported
        if not has_yara:
            debug.error("Please install Yara from https://plusvic.github.io/yara/")

        linux_common.set_plugin_members(self)
        tasks = linux_pslist.linux_pslist.calculate(self)

        for task in tasks:
            if str(task.comm) != "truecrypt":
                continue

            space = task.get_process_address_space()
            if not space:
                continue
    
            rules = yara.compile(sources = {
               'n' : 'rule r1 {strings: $a = {40 00 00 00 ?? 00 00 00} condition: $a}'
               })

            scanner = PassphraseScanner(task = task, rules = rules)
            for address, password in scanner.scan():
                yield task, address, password 
Example #8
Source Project: aumfor   Author: virtualrealitysystems   File: poisonivy.py    License: GNU General Public License v3.0 6 votes vote down vote up
def calculate(self):

        if not has_yara:
            debug.error("Yara must be installed for this plugin")

        addr_space = utils.load_as(self._config)
        
        if not self.is_valid_profile(addr_space.profile):
            debug.error("This command does not support the selected profile.")
        
        rules = yara.compile(sources = signatures)

        for task in self.filter_tasks(tasks.pslist(addr_space)):
            scanner = malfind.VadYaraScanner(task = task, rules = rules)

            for hit, address in scanner.scan():
                vad_base_addr = self.get_vad_base(task, address)
                if address - vad_base_addr > 0x1000:
                    continue

                yield task, vad_base_addr 
Example #9
Source Project: ACE   Author: IntegralDefense   File: pdf-parser.py    License: Apache License 2.0 6 votes vote down vote up
def YARACompile(ruledata):
    if ruledata.startswith('#'):
        if ruledata.startswith('#h#'):
            rule = binascii.a2b_hex(ruledata[3:])
        elif ruledata.startswith('#b#'):
            rule = binascii.a2b_base64(ruledata[3:])
        elif ruledata.startswith('#s#'):
            rule = 'rule string {strings: $a = "%s" ascii wide nocase condition: $a}' % ruledata[3:]
        elif ruledata.startswith('#q#'):
            rule = ruledata[3:].replace("'", '"')
        else:
            rule = ruledata[1:]
        return yara.compile(source=rule)
    else:
        dFilepaths = {}
        if os.path.isdir(ruledata):
            for root, dirs, files in os.walk(ruledata):
                for file in files:
                    filename = os.path.join(root, file)
                    dFilepaths[filename] = filename
        else:
            for filename in ProcessAt(ruledata):
                dFilepaths[filename] = filename
        return yara.compile(filepaths=dFilepaths) 
Example #10
Source Project: idawilli   Author: williballenthin   File: yara_fn.py    License: Apache License 2.0 6 votes vote down vote up
def test_yara_rule(rule):
    '''
    try to match the given rule against each segment in the current exectuable.
    raise TestDidntRunError if its not possible to import the YARA library.
    return True if there's at least one match, False otherwise.
    '''
    try:
        import yara
    except ImportError:
        logger.warning("can't test rule: failed to import python-yara")
        raise TestDidntRunError('python-yara not available')

    r = yara.compile(source=rule)

    for segment in get_segments():
        matches = r.match(data=segment.buf)
        if len(matches) > 0:
            logger.info('generated rule matches section: {segment.name}')
            return True
    return False 
Example #11
Source Project: Python-Digital-Forensics-Cookbook   Author: PacktPublishing   File: yara_scanner.py    License: MIT License 6 votes vote down vote up
def main(yara_rules, path_to_scan, output):
    if os.path.isdir(yara_rules):
        yrules = yara.compile(yara_rules)
    else:
        yrules = yara.compile(filepath=yara_rules)

    if os.path.isdir(path_to_scan):
        match_info = process_directory(yrules, path_to_scan)
    else:
        match_info = process_file(yrules, path_to_scan)

    columns = ['rule_name', 'hit_value', 'hit_offset', 'file_name',
               'rule_string', 'rule_tag']

    if output is None:
        write_stdout(columns, match_info)
    else:
        write_csv(output, columns, match_info) 
Example #12
Source Project: ida_haru   Author: TakahiroHaruyama   File: yara_fn.py    License: Apache License 2.0 6 votes vote down vote up
def test_yara_rule(rule):
    '''
    try to match the given rule against each segment in the current exectuable.
    raise TestDidntRunError if its not possible to import the YARA library.
    return True if there's at least one match, False otherwise.
    '''
    try:
        import yara
    except ImportError:
        logger.warning("can't test rule: failed to import python-yara")
        raise TestDidntRunError('python-yara not available')

    r = yara.compile(source=rule)

    for segment in get_segments():
        if segment.buf is not None:
            matches = r.match(data=segment.buf)
            if len(matches) > 0:
                logger.info('generated rule matches section: {:s}'.format(segment.name))
                return True
    return False 
Example #13
Source Project: CIRTKit   Author: opensourcesec   File: rat.py    License: MIT License 6 votes vote down vote up
def auto(self):
        if not HAVE_YARA:
            self.log('error', "Missing dependency, install yara (see http://plusvic.github.io/yara/)")
            return

        if not __sessions__.is_set():
            self.log('error', "No session opened")
            return

        rules = yara.compile(os.path.join(CIRTKIT_ROOT, 'data/yara/rats.yara'))
        for match in rules.match(__sessions__.current.file.path):
            if 'family' in match.meta:
                self.log('info', "Automatically detected supported RAT {0}".format(match.rule))
                self.get_config(match.meta['family'])
                return

        self.log('info', "No known RAT detected") 
Example #14
Source Project: SSMA   Author: secrary   File: check.py    License: GNU General Public License v3.0 6 votes vote down vote up
def is_malware(filename):
    if not os.path.exists("rules_compiled/malware"):
        os.mkdir("rules_compiled/malware")
    for n in os.listdir("rules/malware/"):
        if not os.path.isdir("./" + n):
            try:
                rule = yara.compile("rules/malware/" + n)
                rule.save("rules_compiled/malware/" + n)
                rule = yara.load("rules_compiled/malware/" + n)
                m = rule.match(filename)
                if m:
                    return m
            except:
                pass  # internal fatal error or warning
        else:
            pass


# Added by Yang 
Example #15
Source Project: omnibus   Author: InQuest   File: yara.py    License: MIT License 6 votes vote down vote up
def run(self):
        results = {'matches': {}}

        all_rules = list_dir(self.rules)

        for r in all_rules:
            rule = yara.compile(r)
            matches = rule.match(data=open(self.artifact['path'], 'rb').read())

            for m in matches:
                if m.rule not in results['matches'].keys():
                    results['matches'][m.rule] = []
                for tag in m.tags:
                    if tag not in results['matches'][m.rule]:
                        results['matches'][m.rule].append(tag)

        self.artifact['data']['yara'] = results 
Example #16
Source Project: Cortex-Analyzers   Author: TheHive-Project   File: yara_analyzer.py    License: GNU Affero General Public License v3.0 6 votes vote down vote up
def __init__(self):
        Analyzer.__init__(self)

        self.rulepaths = self.get_param('config.rules', None, 'No paths for rules provided.')
        if isinstance(self.rulepaths, str):
            self.rulepaths = [self.rulepaths]

        self.ruleset = []
        for rulepath in self.rulepaths:
            if os.path.isfile(rulepath):
                if rulepath[len(rulepath)-3:] == 'yar':
                    self.ruleset.append(yara.compile(rulepath))
                elif rulepath[len(rulepath)-3:] == 'yas':
                    self.ruleset.append(yara.load(rulepath))
            elif os.path.isdir(rulepath):
                if os.path.isfile(rulepath + '/index.yas'):
                    self.ruleset.append(yara.load(rulepath + '/index.yas'))
                elif os.path.isfile(rulepath + '/index.yar'):
                    self.ruleset.append(yara.compile(rulepath + '/index.yar')) 
Example #17
Source Project: volatility   Author: volatilityfoundation   File: linux_truecrypt.py    License: GNU General Public License v2.0 6 votes vote down vote up
def calculate(self):

        ## we need this module imported
        if not has_yara:
            debug.error("Please install Yara from https://plusvic.github.io/yara/")

        linux_common.set_plugin_members(self)
        tasks = linux_pslist.linux_pslist.calculate(self)

        for task in tasks:
            if str(task.comm) != "truecrypt":
                continue

            space = task.get_process_address_space()
            if not space:
                continue
    
            rules = yara.compile(sources = {
               'n' : 'rule r1 {strings: $a = {40 00 00 00 ?? 00 00 00} condition: $a}'
               })

            scanner = PassphraseScanner(task = task, rules = rules)
            for address, password in scanner.scan():
                yield task, address, password 
Example #18
Source Project: vortessence   Author: vortessence   File: linux_truecrypt.py    License: GNU General Public License v2.0 6 votes vote down vote up
def calculate(self):

        ## we need this module imported
        if not has_yara:
            debug.error("Please install Yara from https://plusvic.github.io/yara/")

        linux_common.set_plugin_members(self)
        tasks = linux_pslist.linux_pslist.calculate(self)

        for task in tasks:
            if str(task.comm) != "truecrypt":
                continue

            space = task.get_process_address_space()
            if not space:
                continue
    
            rules = yara.compile(sources = {
               'n' : 'rule r1 {strings: $a = {40 00 00 00 ?? 00 00 00} condition: $a}'
               })

            scanner = PassphraseScanner(task = task, rules = rules)
            for address, password in scanner.scan():
                yield task, address, password 
Example #19
Source Project: vortessence   Author: vortessence   File: poisonivy.py    License: GNU General Public License v2.0 6 votes vote down vote up
def calculate(self):

        if not has_yara:
            debug.error("Yara must be installed for this plugin")

        addr_space = utils.load_as(self._config)
        
        if not self.is_valid_profile(addr_space.profile):
            debug.error("This command does not support the selected profile.")
        
        rules = yara.compile(sources = signatures)

        for task in self.filter_tasks(tasks.pslist(addr_space)):
            scanner = malfind.VadYaraScanner(task = task, rules = rules)

            for hit, address in scanner.scan():
                vad_base_addr = self.get_vad_base(task, address)
                if address - vad_base_addr > 0x1000:
                    continue

                yield task, vad_base_addr 
Example #20
Source Project: binaryalert   Author: airbnb   File: compile_rules.py    License: Apache License 2.0 6 votes vote down vote up
def compile_rules(target_path: str) -> None:
    """Compile YARA rules into a single binary rules file.

    Args:
        target_path: Where to save the compiled rules file.
    """
    # Each rule file must be keyed by an identifying "namespace"; in our case the relative path.
    yara_filepaths = {relative_path: os.path.join(RULES_DIR, relative_path)
                      for relative_path in _find_yara_files()}

    # Compile all available YARA rules. Note that external variables are defined but not set;
    # these will be set at runtime by the lambda function during rule matching.
    rules = yara.compile(
        filepaths=yara_filepaths,
        externals={'extension': '', 'filename': '', 'filepath': '', 'filetype': ''})
    rules.save(target_path) 
Example #21
Source Project: binaryalert   Author: airbnb   File: yara_mocks.py    License: Apache License 2.0 6 votes vote down vote up
def save_test_yara_rules(rules_save_file: str, empty_rules_file: bool = False):
    """Save compiled test YARA rules to the filesystem, which should already be mocked.

    Args:
        rules_save_file: Path to rules save file.
        empty_rules_file: If true, writes an empty rules file.
    """
    if empty_rules_file:
        sources = {'empty.yar': ''}
    else:
        sources = {'evil_check.yar': EVIL_STRING_RULE, 'externals.yar': RULES_WITH_VARIABLES}

    # Compile YARA rules and save them as an in-memory binary string.
    rules = yara.compile(
        sources=sources,
        externals={'extension': '', 'filename': '', 'filepath': '', 'filetype': ''})
    rule_data = io.BytesIO()
    rules.save(file=rule_data)
    rule_data.seek(0)

    # Save the files to the mock filesysytem.
    with open(rules_save_file, 'wb') as file:
        file.write(rule_data.read()) 
Example #22
Source Project: DAMM   Author: 504ensicsLabs   File: linux_truecrypt.py    License: GNU General Public License v2.0 6 votes vote down vote up
def calculate(self):

        ## we need this module imported
        if not has_yara:
            debug.error("Please install Yara from https://plusvic.github.io/yara/")

        linux_common.set_plugin_members(self)
        tasks = linux_pslist.linux_pslist.calculate(self)

        for task in tasks:
            if str(task.comm) != "truecrypt":
                continue

            space = task.get_process_address_space()
            if not space:
                continue
    
            rules = yara.compile(sources = {
               'n' : 'rule r1 {strings: $a = {40 00 00 00 ?? 00 00 00} condition: $a}'
               })

            scanner = PassphraseScanner(task = task, rules = rules)
            for address, password in scanner.scan():
                yield task, address, password 
Example #23
Source Project: PeekabooAV   Author: scVENUS   File: peekabooyar.py    License: GNU General Public License v3.0 6 votes vote down vote up
def evaluate(self, s):
        rules = yara.compile(
            source='''
            rule peekabooyar
            {
                strings:
                    $peekabooyar1 = "X5O!P%@AP-/_(:)_/-X22x8cz2$PeekabooAV-STD-ANTIVIRUS-TEST-FILE!$H+H*"

                condition:
                    $peekabooyar1
            }'''
        )

        # FIXME: Only user of file_path. Remove?
        with open(s.file_path, 'rb') as sample_file:
            matches = rules.match(data=sample_file.read())

        if matches != []:
            return self.result(Result.bad,
                               "Die Datei beinhaltet Peekabooyar",
                               False)

        return self.result(Result.unknown,
                           "Die Datei beinhaltet kein erkennbares Peekabooyar",
                           True) 
Example #24
Source Project: RATDecoders   Author: kevthehermit   File: test_yara.py    License: MIT License 5 votes vote down vote up
def test_yara_pe():
    yara.compile(source='import "pe" rule a { condition: false }') 
Example #25
Source Project: RATDecoders   Author: kevthehermit   File: test_yara.py    License: MIT License 5 votes vote down vote up
def test_yara_dotnet():
    yara.compile(source='import "dotnet" rule a { condition: false }') 
Example #26
Source Project: RATDecoders   Author: kevthehermit   File: fileparser.py    License: MIT License 5 votes vote down vote up
def pe_resource_id(self, res_id):
        """
        Read resource by its ID. Useful where normal pe file fails. 
        :return: list
        """
        try:
            rules = yara.compile(source='import "pe" rule a { condition: false }')
        except yara.SyntaxError:
            print("Error using Yara DotNet did you enable it?")
        resource_list = []

        def modules_callback(data):
            for i, resource in enumerate(data.get('resources', [])):
                if 'id' in resource:
                    if resource['id'] == res_id:
                        offset = resource['offset']
                        length = resource['length']
                        self.res_data = self.file_data[offset:offset + length]
                elif 'name_string' in resource:
                    # Remove null bytes for a better comparison
                    res_name = resource['name_string'].decode('UTF-8').replace('\x00', '')
                    # Check both unicode and plain str versions of name

                    if res_name == res_id or resource['name_string'] == res_id:
                        offset = resource['offset']
                        length = resource['length']
                        self.res_data = self.file_data[offset:offset + length]
            return yara.CALLBACK_CONTINUE

        rules.match(data=self.file_data, modules_callback=modules_callback)
        return self.res_data 
Example #27
Source Project: RATDecoders   Author: kevthehermit   File: fileparser.py    License: MIT License 5 votes vote down vote up
def dotnet_user_strings(self):
        """
        Parse a list of User Strings from a .NET Binary file
        :return: list of strings
        """
        try:
            rules = yara.compile(source='import "dotnet" rule a { condition: false }')
        except yara.SyntaxError:
            print("Error using Yara DotNet did you enable it?")
        user_strings = []

        def modules_callback(data):
            for i, userstring in enumerate(data.get('user_strings', [])):
                # Remove null bytes
                userstring = userstring.replace(b'\x00', b'')

                # Add string to list
                try:
                    user_strings.append(userstring.decode('utf-8'))
                except UnicodeDecodeError:
                    pass

            return yara.CALLBACK_CONTINUE

        rules.match(data=self.file_data, modules_callback=modules_callback)

        return user_strings 
Example #28
Source Project: RATDecoders   Author: kevthehermit   File: fileparser.py    License: MIT License 5 votes vote down vote up
def ascii_strings(self, min_len=4):
        """
        parse a list of ascii strings from a binary file
        :return:
        """
        string_list = []
        chars = b" !\"#\$%&\'\(\)\*\+,-\./0123456789:;<=>\?@ABCDEFGHIJKLMNOPQRSTUVWXYZ\[\]\^_`abcdefghijklmnopqrstuvwxyz\{\|\}\\\~\t"
        regexp = b'[%s]{%d,}' % (chars, min_len)
        pattern = re.compile(regexp)
        for s in pattern.finditer(self.file_data):
            string_list.append(s.group())
        return string_list 
Example #29
Source Project: RATDecoders   Author: kevthehermit   File: fileparser.py    License: MIT License 5 votes vote down vote up
def unicode_strings(self, min_len=4):
        string_list = []
        chars = r" !\"#\$%&\'\(\)\*\+,-\./0123456789:;<=>\?@ABCDEFGHIJKLMNOPQRSTUVWXYZ\[\]\^_`abcdefghijklmnopqrstuvwxyz\{\|\}\\\~\t"
        regexp = b'((?:[%s]\x00){%d,})' % (chars, min_len)
        pattern = re.compile(regexp)
        for s in pattern.finditer(self.file_data):
            string_list.append(s.group()) 
Example #30
Source Project: RATDecoders   Author: kevthehermit   File: netwire.py    License: MIT License 5 votes vote down vote up
def yara_scan(self, raw_data, rule_name):
        yara_data = []
        yara_rules = yara.compile(source=rule_source)
        matches = yara_rules.match(data=raw_data)
        for match in matches:
            if match.rule == 'opcodes':
                for item in match.strings:
                    if item[1] == rule_name:
                        data = item[2]
                        yara_data.append(data)
        return yara_data